The Benefits and Types of Knowledge-Based Authentication for Your Business


Delivering a satisfying online customer experience is critical for any organization with a web presence. A big part of this is trust. Most customers will shy away from a website or app that does not appear trustworthy.

This is why every organization should be taking the right steps to protect its customers’ personal information during online transactions. Getting a customer to trust you today means they will do business with you tomorrow.

Global consumer review website Trustpilot notes that “brands have to be accurate, dependable, and provide the service they guaranteed.” Identity verification is a large part of how customers judge whether their experience with your brand is accurate and dependable, which in turn drives loyalty and retention.

Companies that don’t take the necessary security precautions see the consequences. In 2020 alone, many organizations such as Marriott, T-Mobile and GE faced security breaches. To combat these security vulnerabilities, organizations need to implement new and innovative ways to protect their customers’ identities and convey trust. The best way to ensure this is by implementing a multi-level security strategy that includes Knowledge-Based Authentication.

Knowledge-Based Authentication

Knowledge-Based Authentication, commonly known as KBA, is a simple process that requires customers to answer secret questions before they can utilize secure sections of your website or services. It allows an organization to verify a customer’s identity, using information like mailing address, phone number, age, email address, or any other piece of information expected to be unique to the customer.

KBA can work with commercial data providers such as credit bureaus that possess extensive customer records to verify information about nearly anyone. This level of authentication brings peace of mind to not only the organization but also the customer. In Q1 of 2020 alone, over 8.4 billion records were exposed. Having Knowledge-Based Authentication (KBA) as part of your security strategy will help keep your customers’ private information secure against these breaches.

Knowledge-Based Authentication also helps businesses comply with security regulations, especially companies in the finance sector. Systems like these help reduce fraud and, in turn, reduce the cost of fraud prevention and recovery. At the same time, methods such as KBA provide increased security for customers, boosting confidence in the business. Yet finance-related businesses are not the only ones employing the security power of Knowledge-Based Authentication.

At least 21% of businesses in the e-commerce sector are currently using and implementing Knowledge-Based Authentication on their websites. And about 20% of businesses in the healthcare sector use Knowledge-Based Authentication to secure patient records in their database. Some businesses also use KBA to verify access to digital services like a service portal or transaction portal, age and identity verification, user enrollment, and password retrieval.

Types of Knowledge-Based Authentication

There are two types of Knowledge-Based Authentication: 1) Static KBA and 2) Dynamic KBA. The two types differ in their degree of security, how they are implemented, and how they are used.

Static Knowledge-Based Authentication, or SKBA, is the more commonly used of the two KBA types. In Static KBA, the customer inputs his/her answers to security questions.

Should the customer need to reset a password or retrieve his/her username, the customer would need to accurately answer the security questions with the previously supplied answers. Thus, Static KBA is sometimes referred to as “shared secrets” or “shared secret questions.”

Questions range from “What is the name of your elementary school?” to “What is your favorite food?”.  Static KBA is typically employed by banks, financial institutions, and services like email providers to authenticate the identity of the customer before allowing access to secure data or an account. 

Behind the scenes, Static Knowledge-Based Authentication is rather simple to set up on a website. It is also straightforward and friendly in terms of the customer experience, as the customers are the ones choosing the pre-determined questions and providing their specific answers.
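The enrollment and later answer check described above, sketched as an added example that is not from the original article. It assumes answers are normalized, stored only as salted PBKDF2 digests, compared in constant time, and locked after `MAX_ATTEMPTS` misses; the question IDs, iteration count and lockout threshold are illustrative choices.

```python
import hashlib
import hmac
import os
import unicodedata

# Question texts are the article's examples; the IDs are hypothetical.
QUESTIONS = {
    "q_school": "What is the name of your elementary school?",
    "q_food": "What is your favorite food?",
}
MAX_ATTEMPTS = 3       # assumed lockout threshold, not a value from the article
ITERATIONS = 200_000   # assumed PBKDF2 work factor


def normalize(answer: str) -> bytes:
    """Fold case, Unicode form and spacing so ' lincoln  ELEMENTARY' still matches."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split()).encode("utf-8")


def _derive(answer: str, salt: bytes) -> bytes:
    # A slow, salted hash limits offline guessing of low-entropy answers.
    return hashlib.pbkdf2_hmac("sha256", normalize(answer), salt, ITERATIONS)


def enroll(answers: dict) -> dict:
    """Build the record to persist: per-question salt and digest, never plaintext."""
    record = {"failures": 0, "answers": {}}
    for qid, answer in answers.items():
        if qid not in QUESTIONS:
            raise KeyError(f"unknown question id: {qid}")
        salt = os.urandom(16)
        record["answers"][qid] = (salt, _derive(answer, salt))
    return record


def verify(record: dict, qid: str, candidate: str) -> bool:
    """Check one answer in constant time; refuse once the flow is locked."""
    if record["failures"] >= MAX_ATTEMPTS or qid not in record["answers"]:
        return False
    salt, digest = record["answers"][qid]
    ok = hmac.compare_digest(_derive(candidate, salt), digest)
    record["failures"] = 0 if ok else record["failures"] + 1
    return ok
```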

Dynamic Knowledge-Based Authentication, or DKBA, provides a higher degree of security because Dynamic KBA uses “out-of-wallet” questions that are not predetermined but are generated in real time using information from different data sources. These data sources include credit bureaus, marketing databases and customer surveys. An example of a Dynamic KBA question would be “Which of the following addresses did you live at in the past?” From there, the customer would need to select the correct option from a provided answer list.

Because Dynamic KBA does not use a set of pre-determined questions and answers but rather accesses external databases, it is more difficult to implement compared to Static KBA. However, Dynamic KBA does provide a higher degree of security because it uses data from several different sources and questions customers on information not easily found online.

Unfortunately, this higher level of security can come at the expense of ease of use for the customer. Yet the customer experience can actually be enhanced by these additional security features through thoughtful design and by educating users on how the features work and add value to their experience.

Best Practices

With Dynamic KBA specifically, the security benefits associated with the use of out-of-wallet questions are dependent on the data used during authentication. That is why it is important to follow industry best practices including using trustworthy data sources and using meaningful questions.

The first best practice is using reliable data sources. The reliability of the source of the data is directly related to the level of security the authentication provides.

These sources, whether existing account information or trusted third parties such as credit bureaus, should draw on non-traditional data to generate unique questions, including a diversionary question designed to throw a fraudster off.
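How an out-of-wallet address question and its diversionary variant can be assembled, as an added example that is not from the original article. The address records, decoy pool and the "all answers must be correct" pass rule are constructed assumptions standing in for a real data-provider lookup and scoring policy.

```python
import secrets

PROMPT = "Which of the following addresses did you live at in the past?"
NONE = "None of the above"
# Constructed records standing in for a data-provider lookup (assumption).
CUSTOMER_ADDRESSES = ["14 Alder Way", "902 Pine St"]
DECOY_POOL = ["77 Birch Ln", "5 Quarry Rd", "310 Mesa Dr", "902 Pine St", "61 Dock St"]


def build_question(real, pool, diversionary=False, n_options=4, rng=None):
    """Return (client_view, answer_index); the index stays on the server."""
    rng = rng or secrets.SystemRandom()
    known = set(real)
    # A decoy matching a true record would make two options correct.
    candidates = [a for a in pool if a not in known]
    if diversionary:
        # Every listed address is false; only "None of the above" is right.
        options, correct = rng.sample(candidates, n_options), NONE
    else:
        correct = rng.choice(real)
        options = rng.sample(candidates, n_options - 1) + [correct]
    rng.shuffle(options)
    options.append(NONE)  # always offered, so its presence reveals nothing
    return {"prompt": PROMPT, "options": options}, options.index(correct)


def passes(answer_keys, choices):
    """Assumed policy: every question, diversionary included, must be correct."""
    return len(answer_keys) == len(choices) and all(
        key == choice for key, choice in zip(answer_keys, choices)
    )
```

Both variants present the same number of options, so the layout of a question does not reveal whether it is the diversionary one.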

Another best practice is including questions that strike a balance between convenience and security. Asking a question that is too complex can create insurmountable obstacles for customers trying to access their data and thus negatively affect the customer journey. Yet a question that is too simple can open the floodgates to fraudsters. Hence, it is important to explain the security features to the customer and include reasonable and unique questions.


Knowledge-Based Authentication provides an additional level of security for websites that need to know their customers are who they say they are. However, the actual level of security it provides can vary greatly based on implementation. The most successful businesses will find a way to strike a balance between security and customer experience, lest they lose the very customers they seek to protect.